An Access Control Framework for Business Processes for Web Services *

Hristo Koshutanski, Fabio Massacci
Dip. di Informatica e Telecomunicazioni - Univ. di Trento
via Sommarive 14 - 38050 Povo di Trento (ITALY)
{hristo,massacci}@dit.unitn.it

ABSTRACT

Business Processes for Web Services are the new paradigm for the lightweight integration of business from different enterprises. Whereas the security and access control policies for basic web services and distributed systems are well studied and almost standardized, there is not yet a comprehensive proposal for an access control architecture for business processes. The major issue is that a business process describes complex services that cross organizational boundaries and are provided by entities that see each other as just partners and nothing else. This calls for a number of differences from traditional aspects of access control architectures, such as
• credential-based vs classical user-based access control,
• interactive and partner-based requests of credentials from clients vs one-server-gathers-all,
• controlled disclosure of information vs all-or-nothing access control decisions,
• abducing the credentials missing to fulfil a request vs deducing the entailment of valid requests from credentials in formal models,
• “source-code” authorization processes vs data describing policies for communicating policies or for orchestrating the work of authorization servers.
Looking at the access control field, we find good approximations of most components but not their synthesis into one access control architecture for business processes for web services, which is the contribution of this paper.

* This work is partially funded by the IST programme of the EU Commission, FET under the IST-2001-37004 WASP project and by the FIRB programme of MIUR under the RBNE0195K5 ASTRO Project.
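The abduction-vs-deduction and controlled-disclosure points in the list above can be made concrete with a toy policy engine. The following is an added example written for this page; it is not the paper's own algorithm or code, and every name in it (the `book_hotel` request, the `cred:*` credential atoms, the `RULES`, `ABDUCIBLES` and `DISCLOSURE` tables) is constructed for illustration. It contrasts the classical one-off decision (`deduce`: grant iff the request is entailed by policy plus presented credentials) with the interactive one (`abduce`: compute the minimal sets of credentials the partner would still have to present, then reveal only those the partner is already entitled to learn about).

```python
# Added illustration (not the paper's own algorithm): a toy policy engine that
# contrasts a classical deductive decision with an interactive, abductive one.
# A policy is a list of Horn rules (head, body); atoms are plain strings.
# Credentials presented by the client are facts; "abducibles" are the
# credentials the server is willing to ask the partner for. All names below
# (book_hotel, cred:* ...) are constructed for the example.
from itertools import combinations


def derive(rules, facts):
    """Forward-chain the Horn rules to a fixpoint and return every derivable atom."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if head not in known and all(atom in known for atom in body):
                known.add(head)
                changed = True
    return known


def deduce(rules, facts, request):
    """Classical one-off decision: grant iff the policy entails grant:<request>
    and no deny:<request> is derivable from the same evidence."""
    closure = derive(rules, facts)
    return f"grant:{request}" in closure and f"deny:{request}" not in closure


def abduce(rules, facts, request, abducibles, max_size=3):
    """Return the subset-minimal sets M of abducible credentials such that
    rules + facts + M entail the request (and do not derive a denial).
    This is the server asking 'what would the partner still have to show?'."""
    if deduce(rules, facts, request):
        return [frozenset()]
    candidates = [a for a in abducibles if a not in facts]
    solutions = []
    for size in range(1, max_size + 1):
        for combo in combinations(candidates, size):
            missing = frozenset(combo)
            if any(sol <= missing for sol in solutions):
                continue  # a strict subset already works, so not minimal
            if deduce(rules, set(facts) | missing, request):
                solutions.append(missing)
    return solutions


def interactive_decision(rules, facts, request, abducibles, disclosure):
    """Three-way outcome instead of all-or-nothing: 'grant', 'ask' (with the
    credential sets the partner may be told about), or 'deny'.
    `disclosure` maps a credential name to the credentials that must already
    have been presented before the server reveals that it needs it."""
    if deduce(rules, facts, request):
        return ("grant", [])
    askable = []
    for missing in abduce(rules, facts, request, abducibles):
        if all(disclosure.get(c, set()) <= set(facts) for c in missing):
            askable.append(sorted(missing))
    return ("ask", askable) if askable else ("deny", [])


# Constructed sample policy for a hotel-booking partner in a travel workflow.
RULES = [
    ("grant:book_hotel", ["cred:partner_agreement", "cred:payment_ok"]),
    ("cred:payment_ok", ["cred:credit_card", "cred:card_authorized"]),
    ("cred:payment_ok", ["cred:prepaid_voucher"]),
    ("deny:book_hotel", ["cred:sanctioned_country"]),
]
ABDUCIBLES = ["cred:partner_agreement", "cred:credit_card",
              "cred:card_authorized", "cred:prepaid_voucher",
              "cred:travel_insurance"]
# Only partners who have shown voucher-programme membership learn that a
# prepaid voucher is an acceptable alternative to card authorization.
DISCLOSURE = {"cred:prepaid_voucher": {"cred:voucher_program_member"}}
# Constructed set of credentials the partner presented with its request.
PRESENTED = {"cred:partner_agreement", "cred:credit_card"}

if __name__ == "__main__":
    print("one-off decision:", deduce(RULES, PRESENTED, "book_hotel"))
    print("missing sets:", abduce(RULES, PRESENTED, "book_hotel", ABDUCIBLES))
    print("interactive:", interactive_decision(RULES, PRESENTED, "book_hotel",
                                               ABDUCIBLES, DISCLOSURE))
```

With the constructed input, the one-off decision is simply a denial, while the interactive evaluator finds two minimal ways to complete the request (card authorization or a prepaid voucher) and, because the voucher option is behind a disclosure precondition the partner has not met, asks only for `cred:card_authorized`. A derivable `deny:` atom overrides any abduced completion, which is the check a practitioner would want so that abduction never suggests credentials that would be refused anyway.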
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
ACM Workshop on XML Security, October 31, 2003, Fairfax VA, USA
Copyright 2003 ACM 1-58113-777-X/03/0010 ...$5.00.

Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection—Access controls, Information flow controls; H.3.5 [Information Storage and Retrieval]: Online Information Services—Commercial services, Web-based services; H.4.1 [Information Systems Applications]: Office Automation—Workflow management; K.4.4 [Computers and Society]: Electronic Commerce—Distributed commercial transactions

General Terms
Management, Design, Security, Languages

Keywords
Web Services, Interactive Access Control, E-Business, Security Management, Distributed Systems Security, Controlled Disclosure.

1. INTRODUCTION

Middleware was the enterprise integration buzzword at the end of the past millennium. Nowadays a new paradigm is taking hold: Web services (WS for short). Setting hype aside, the major difference between middleware solutions (CORBA, COM+, EJB, etc.) and WS is the idea of lightweight integration of business processes from different enterprises. The security of basic WS is well studied and standardized [6]. There are also many approaches [35, 37, 4, 16, 13, 5, 33] to controlling access to services and trust management in distributed systems, and an advanced standardization process for policies and access control (see for instance the OASIS proposals [12, 26]).
However, with the notable exceptions of provisional access control [22] and trust negotiation [36], access control models rest on the idea that the server takes the evidence you sent on who you are (credentials) and what you want (request), checks it against its own evidence on what you deserve (policies) and makes a one-off decision. Moving up in the WS hierarchy from single services to orchestration and choreography of WS and business processes, the picture changes. Business processes describe complex services that cross organizational boundaries and are provided by partners. The paradigmatic example in the WS standards is a travel agent WS that must orchestrate a combination of plane and train tickets, car rental, hotel booking and insurance, each service offered by a different partner which may or may not be involved according to the actual unrolling of the workflow. For example, consider the problem of going on a nice “Shakespearian Tour” in Italy: you might decide to go to the city